Thursday, 2016-01-07

00:00 <bknudson_> I think the reason ksa is failing is because deprecated_opts in config is supposed to be cfg.DeprecatedOpt, not a cfg.Opt.
<openstackgerrit> Timothy Symanczyk proposed openstack/oslo.policy: Don't crash on RoleCheck when roles not present
00:08 <bknudson_> jamielennox: you around?
00:12 <bknudson_> jamielennox: is it intentional that ksa1.loading.Opt()'s deprecated= parameter takes a list of ksa1.loading.Opt?
00:14 <bknudson_> I'm asking because oslo_config's Opt takes a list of oslo_config.cfg.DeprecatedOpt, not a list of Opt.
00:15 <jamielennox> bknudson_: i'm here
00:16 <jamielennox> yea, but we don't have access to oslo_config from ksa, so Opt is really our only choice
00:16 <jamielennox> i guess we could have made a ksa.DeprecatedOpt, but it's the same without a type
00:16 <bknudson_> DeprecatedOpt is nothing like Opt
00:16 <jamielennox> the register_conf stuff converts correctly from Opt to DeprecatedOpt
00:18 <jamielennox> bknudson_: is it causing problems or just a strange conversion?
00:18 <bknudson_> the only references to DeprecatedOpt are in docstrings.
<bknudson_> jamielennox: it is causing problems --
<openstackgerrit> Merged openstack/keystone: Add `type' filter for list_credentials_for_user
00:21 <bknudson_> hmm... DeprecatedOpt is referenced in test_deprecated.
00:21 <bknudson_> but it's not referenced in any of the non-test code
00:22 <jamielennox> bknudson_: that seems wrong
00:22 <jamielennox> bknudson_: that whole patch
00:23 <jamielennox> a ksa.Opt is not an oslo_config.Opt - they are different objects and they aren't supposed to be interchangeable
00:23 <jamielennox> i don't want the headache of trying to keep ksa up to date with oslo.config
<bknudson_> here's the change in master:
00:24 <bknudson_> I thought when we talked about this earlier there was going to be a new project or something.
00:24 <jamielennox> yea, i mean the change to master as well
00:24 <bknudson_> oh, but that was built on the original change...
00:24 <jamielennox> the only reason i can see that they came across this problem is they were trying to register ksa Opts directly into oslo_config
<jamielennox> bknudson_: the conversion function does the right thing:
00:26 <bknudson_> oh... when was that changed?
<bknudson_> you fixed it!
00:27 <bknudson_> we need that in stable/liberty
00:27 <jamielennox> i didn't know there was a stable/liberty of ksa
00:28 <bknudson_> although we have to squash both... I'll propose that since that should fix it.
00:28 <bknudson_> we made a stable/liberty even though nobody was using it.
00:28 <bknudson_> now it's broken.
00:28 <jamielennox> i'd quite like to revert that original patch - it seems to be masking a bigger issue
00:29 <jamielennox> mordred, notmorgan: do you know where this stemmed from?
00:30 <notmorgan> jamielennox: huh?
<jamielennox> there's a function for converting ksa->oslo_config opts:
00:31 <jamielennox> we really should not be registering ksa.Opt directly as an oslo_config Opt
00:31 <notmorgan> isn't that what the .to_oslo or whatever that was?
00:32 <jamielennox> that's a private function on the Opt, we could probably make it public but i didn't see why people would use it directly
00:33 <notmorgan> there is a stable liberty of ksa?
00:33 * notmorgan feels like i should know that.
<bknudson_> we can see if this passes:
00:33 <notmorgan> well ksa is not becoming dependent on oslo.config
00:33 <bknudson_> I was able to recreate locally and those changes fixed it, so should work.
00:34 <notmorgan> so, we need a way around this issue
00:35 <notmorgan> jamielennox: ^
00:35 <notmorgan> reverting may or may not be the right answer either
00:35 <jamielennox> notmorgan: it's fine how it is, it doesn't have a dep and won't get one
00:36 <jamielennox> notmorgan: but the fact that mordred hit that issue means he was misusing the ksa Opts
00:36 <notmorgan> jamielennox: right
00:36 <jamielennox> notmorgan: i thought you might have known how/what/where
00:36 <notmorgan> not sure
00:36 <notmorgan> off the top of my head
00:37 <jamielennox> was it in a release?
00:37 <jamielennox> there should be an easy way to answer that question without trolling logs
00:37 <jamielennox> trawling ?
00:38 <jamielennox> bah - specifically that commit was tagged as 2.1.0
00:39 <bknudson_> write something better and then we can deprecate the old stuff
00:39 <bknudson_> then get rid of it in keystoneauth2
00:40 <bknudson_> in 2020
00:40 <jamielennox> lol, keystoneauth2
<bknudson_> I thought mordred's change was before jamielennox's, turns out jamielennox made the deprecated fix first:
00:46 <bknudson_> I don't know if we need both to get stable/liberty passing. we'll see.
00:46 <jamielennox> bknudson_: ideally if i propose the revert at least we'd see where the misuse was
00:47 <bknudson_> it was glance-api that failed to start due to the deprecatedOpt issue
00:48 <bknudson_> so I'd suggest starting there
01:26 <stevemar> back online now
01:27 <stevemar> bknudson_: just read the scroll back on the ksa issue
01:27 <stevemar> i don't have much to add :(
01:33 <stevemar> bknudson_: oh a new error
01:33 <stevemar> AttributeError: 'AccessInfoV3' object has no attribute 'bind'
<stevemar> maybe we need or
<stevemar> err *this* one:
01:36 <mnaser> well, we're finally integrating keystone with our billing system for auth with openid connect.  in our billing system, we have the tenant ID of each user stored.  if we extend our openid info to include that, will I be able to use the mappings to map to a specific tenant id? -- are pretty .. difficult to read
01:37 <mnaser> or will we have to re-engineer our stuff at our side to expose the user_id and map that directly?
01:37 <stevemar> mnaser: the mappings only map to a specific group, which could have a role to a specific tenant
01:38 <stevemar> so you can't say "everyone who has X open id connect property has a role on this tenant/project"
01:38 <stevemar> you can say "everyone who has X open id connect property is a member of group Y in keystone"
01:38 <stevemar> and make group Y have a role on a tenant/project
01:39 <stevemar> the reasoning is, identity stuff should map to identity stuff
01:39 <mnaser> so i'd have to create a group for every single tenant
01:41 <stevemar> mnaser: i think it's gonna depend on how you want it setup
01:42 <mnaser> i mean if we're going to do all these changes, i dont mind "doing it right", so if it means leaving our current single user assigned to single tenant per user, then we'll do that
01:42 <mnaser> we'll just have to make sure we can do that without breaking existing behaviour
<openstackgerrit> Merged openstack/oslo.policy: Updated from global requirements
<openstackgerrit> Jamie Lennox proposed openstack/keystone: Perform middleware tests with webtest
<openstackgerrit> Jamie Lennox proposed openstack/keystone: Make AuthContext depend on auth_token middleware
<openstackgerrit> Merged openstack/keystoneauth: Updated from global requirements
<openstackgerrit> Merged openstack/keystone: Deprecated tox -downloadcache option removed
<openstackgerrit> Merged openstack/keystone: Cleanup tox.ini py34 test list
<openstackgerrit> Merged openstack/keystonemiddleware: Updated from global requirements
<openstackgerrit> Merged openstack/pycadf: Updated from global requirements
02:57 <stevemar> man there were a lot of merges today
<openstackgerrit> Merged openstack/keystone: remove irrelevant parenthesis
<openstackgerrit> Merged openstack/keystone: Remove comments on enforcing endpoints for trust
<openstackgerrit> Einst Crazy proposed openstack/pycadf: Fix wrong use of comma
03:14 <notmorgan> stevemar: yeah
03:14 <stevemar> notmorgan: ahoy matey
<openstackgerrit> Henrique Truta proposed openstack/keystone: Make project.domain_id column nullable
<openstackgerrit> Fernando Diaz proposed openstack/keystone: Opt-out certain Keystone Notifications
<openstackgerrit> Merged openstack/python-keystoneclient: Support `truncated` flag returned by keystone
<openstackgerrit> Henrique Truta proposed openstack/keystone: Change project unique constraint
<openstackgerrit> Henrique Truta proposed openstack/keystone: Removes project.domain_id FK
04:11 <stevemar> bknudson_: aroundish? i think i finally figured out the chain of patches necessary for stable/liberty of ksa
04:12 <stevemar> bknudson_: check out when you get a chance, and the string of patches it has
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
<openstackgerrit> OpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements
05:15 <teju> Hi, I changed the token expiration in [token] section of keystone.conf file. What is the command to restart keystone in Kilo for RHEL?
05:16 <jamielennox> teju: it depends if you're running via apache or eventlet,
05:16 <jamielennox> it'll either be systemctl restart httpd or systemctl restart openstack-keystone respectively
05:17 <teju> +jamielennox : ok, is there a way to find whether I am running apache or eventlet, I am not sure because I am installing RHEL OpenStack Platform 7 for the first time
05:18 <jamielennox> teju: normally just ps aux | grep keystone will give you info
05:19 <jamielennox> either you'll see a keystone-all bin, or likely the apache server is using the keystone user so you'll see that
05:19 <teju> keystone 23763  0.7  0.0 347712 69692 ?        Ss   Jan04  31:41 /usr/bin/python /usr/bin/keystone-all
05:20 <jamielennox> ok, that's eventlet
05:21 <teju> +jamielennox : ok, is there a way to know the keystone token expiration value other than from conf file?
05:22 <jamielennox> teju: you will be able to test it from the expiry that is in the token data
05:24 <teju> +jamielennox :    expires : 2016-01-07T09:22:45Z
05:24 <teju> +jamielennox : my system time is Thu Jan  7 00:22:49 EST 2016
05:25 <teju> +jamielennox : from the above two outputs, is the token expiration time 9 hours?
05:26 <jamielennox> looks like
05:27 <teju> +jamielennox : however, the expiration value in conf file is 14400  = 4 hours
05:29 <jamielennox> teju: actually it's not
05:30 <jamielennox> your system time is in EST and expires will always be in UTC
05:30 <jamielennox> (i don't know if that gives 4 hours)
05:31 <jamielennox> current utc is 05:30 so it is 4 hours
05:33 <teju> +jamielennox : thanks , UTC = EST + 5hours
05:34 <teju> +jamielennox: so, token expiration = 9-5 = 4; that makes sense....thanks
05:44 <lbragstad> henrynash around?
06:25 <ankit_ag> Hi all, can someone please help review and add an opinion about separating unit test cases from the bug fix
<openstackgerrit> Ankit Agrawal proposed openstack/keystone: Replace unicode with six.text_type
<openstackgerrit> Eric Brown proposed openstack/keystone: Set deprecated_reason on deprecated options
<openstackgerrit> Eric Brown proposed openstack/keystone: Update man pages with Mitaka version and dates
<openstackgerrit> lei zhang proposed openstack/keystone: Remove some unnecessary
<openstackgerrit> Merged openstack/keystone: Some small improvements on fernet uuid handling
09:47 <samueldmq> morning keystoners
11:28 <marekd> stevemar: so PUT operation should result in 201 OK or 204 No Content?
<openstackgerrit> Merged openstack/oslo.policy: Don't crash on RoleCheck when roles not present
12:55 <samueldmq> dstanek: morning, you around ?
13:07 <samueldmq> dstanek: I would appreciate your view on ""
13:07 <samueldmq> WIP: Add cache layer on the top of manager
13:07 <samueldmq> dstanek: before I put more effort on it :)
<openstackgerrit> Merged openstack/keystonemiddleware: Use oslo_config choices support
<openstackgerrit> Ankit Agrawal proposed openstack/keystone: Expose defect in users_in_group, groups_for_user exact filters
<openstackgerrit> OpenStack Proposal Bot proposed openstack/keystone: Updated from global requirements
14:09 <dstanek> samueldmq: sure
14:10 <samueldmq> dstanek: thanks sir, really appreciated :)
<openstackgerrit> Ankit Agrawal proposed openstack/keystone: Fix users in group and groups for user exact filters
14:12 <dstanek> samueldmq: i actually don't know if it's clearer to separate it that way
14:14 <dstanek> samueldmq: and i'm not sure it would work correctly. for instance, you deleted some code from delete_project and i think you were making the assumption that that call to the memoizer call to delete_project in _delete_domain_contents will invoke it in the new location
14:14 <dstanek> samueldmq: but if delete_project is called directly that code will not be invoked
14:16 <samueldmq> dstanek: yes
14:16 <samueldmq> dstanek: I tried implementing __getattribute__ to forward calls from manager to memoizer
14:17 <samueldmq> dstanek: as also suggested by notmorgan, but it easily got too complex when I was handling __getattribute__ and __getattr__ at the manager
14:17 <dstanek> samueldmq: if you did want to refactor this i think the decorator pattern would be the best approach imo
14:18 <notmorgan> dstanek: which is mostly what we are doing now. changing it to a decorator breaks the invalidates
14:19 <notmorgan> dstanek: there is a reason i put the original caching into the manager logic. the alternative was to do like dogpile does and add a "proxy" construct.
14:19 <notmorgan> samueldmq: ^ cc
14:19 <dstanek> notmorgan: how would it break invalidates?
14:20 <notmorgan> dstanek: the caching logic needs to invalidate in very specific places/times
14:20 <samueldmq> notmorgan: proxy on the top of manager ? that's basically what I want to do I think
14:20 <notmorgan> during updates
14:20 <samueldmq> notmorgan: and sometimes cross memoizers, eg you delete a domain and invalidate role assignment cache
14:21 <dstanek> notmorgan: if that's truly the case then really there wouldn't be any way to refactor that would make it clearer
14:21 <notmorgan> dstanek: you could do it under the manager but... it's not easy
14:22 <notmorgan> i wouldn't try and do it over the manager.
14:22 <notmorgan> caching is hard
<samueldmq> dstanek: notmorgan: my initial motivation was ''
14:23 <samueldmq> Add caching to role assignments
14:24 <samueldmq> I find it bad to put invalidation logic of assignments on, let's say, the resource manager
14:24 <samueldmq> so for me having another layer to handle caching/invalidation only would make it clearer
14:24 <notmorgan> samueldmq: this is the internal callback stuff.
14:24 <notmorgan> as well
14:25 <notmorgan> cross manager invalidation is no different than cross manager communication
14:25 <samueldmq> except that we don't mix business logic with cache handling
14:25 <notmorgan> all *_api communication happens at the manager layer, a while ago we did a lot of work to push that upwards.
14:26 <dstanek> samueldmq: my knee jerk reaction would be that we are using the wrong abstractions or maybe we are missing some and that's why the cross manager stuff exists
14:26 <notmorgan> there were drivers that did direct driver calls
14:26 <dstanek> notmorgan: right, we've had a lot of work to move that stuff up the layers
14:27 <dstanek> samueldmq: we made an explicit design choice to allow managers to communicate
14:29 <samueldmq> dstanek: and we aren't removing that right ? just making the *_api calls pass in the memoizer prior to getting into Manager
14:29 <notmorgan> samueldmq: but the point is that it doesn't really make it more clear
14:30 <notmorgan> especially since you now have manager -> memoizer -> manager -> memoizer type traces
14:30 <notmorgan> since manager calls through to itself
14:31 <dstanek> notmorgan: also as i mentioned the patch in question doesn't yet implement all of the invalidation
14:31 <notmorgan> i think it makes it more complex and harder to understand.
14:31 <samueldmq> notmorgan: I agree this case is very confusing
14:31 <notmorgan> dstanek: i didn't even get that far
14:31 <notmorgan> samueldmq: so, like i said, caching is hard
14:32 <samueldmq> notmorgan: maybe just improving the way we do it (perhaps some invalidations can just use annotations?) is the better way to go
14:32 <notmorgan> samueldmq: explain how the annotation works for invalidation
14:32 <notmorgan> or what you mean
14:33 <samueldmq> @invalidate(assignment_api.get_user_roles, assignment_api.get_group_roles??
14:33 <notmorgan> doesn't work like that
14:33 <samueldmq> def delete_domain(...):
14:33 <samueldmq> and would invalidate upon success on deletion
14:33 <notmorgan> you need in some cases to invalidate mid manager logic
14:33 <dstanek> samueldmq: if you have to invalidate based on state in the method you'll have to do it in the method
14:33 <notmorgan> decorators can only work before/after
14:33 <notmorgan> this is the same issue we have with policy decorators
14:33 <notmorgan> it makes things insanely complex
14:34 <notmorgan> we also over-use decorators
14:34 <samueldmq> notmorgan: I can't think of an example of mid manager logic invalidation
14:34 <samueldmq> hey decorators are nice :-)
14:34 <notmorgan> samueldmq: i really dislike the decorator pattern
14:34 <notmorgan> it makes it hard to know what is going on in a method
14:34 <dstanek> samueldmq: i'm on record saying they are evil
14:35 <dstanek> notmorgan: i like the decorator pattern, but python decorators are not that
14:35 <notmorgan> @memoize @invalidate @enforce @thing @whatever
14:35 <samueldmq> too much is bad, yes
14:35 <notmorgan> what happens when you stack all of those together
14:35 <samueldmq> I got it
14:36 <notmorgan> memoize is one of the very few cases decorators are correct
14:36 <samueldmq> dstanek: notmorgan: so perhaps we all feel something smells bad ?
14:36 <breton> decorators are good, if you don't overuse them
14:36 <samueldmq> just don't know if something may be improved to make code clearer
<lbragstad> navidp I updated the bug report with our conversation from yesterday -
14:37 <openstack> Launchpad bug 1522616 in OpenStack Identity (keystone) "It's possible to disable the default domain through domain update API" [Medium,In progress] - Assigned to Navid Pustchi (npustchi)
14:37 <notmorgan> samueldmq: so assume cross manager communication is fine.
14:37 <notmorgan> samueldmq: this means cross manager invalidation *can* exist.
14:37 <notmorgan> managers can inter-depend
14:37 <lbragstad> cc stevemar ^
14:38 <notmorgan> if you're adding caching to roles, add it in the current model. refactoring the whole caching system is a big ordeal and i think needs more baking/thought
14:38 <dstanek> breton: i only like decorators for annotating functions and not for really business performing logic
14:38 <notmorgan> it seems that refactoring caching is going to make life a lot harder and shouldn't block real improvements
14:38 <notmorgan> breton: what dstanek said
14:39 <notmorgan> dstanek: as much as i don't want to work on server, i think i'm going to break the policy enforce decorator today
14:39 <notmorgan> dstanek: as it'll greatly improve understanding enforcement
14:40 <breton> dstanek: how's the work on dependency injection going btw?
14:40 * samueldmq is looking forward, making popcorn
14:40 <notmorgan> dstanek: so we're back to directly calling enforce. the enforce decorator should just be something like @ensure_enforcement, which will error [dev time test] if enforcement didn't occur where it should
14:40 <notmorgan> or just bake that into the controller?
14:41 <notmorgan> for all router->controller methods
14:41 * notmorgan keeps looking at the long list of tech debt.
14:42 <dstanek> notmorgan: that'll be interesting to see
14:42 <samueldmq> this keystone is harder than my weekend project, arrgh
14:43 <dims> samueldmq : LOL :)
14:43 <dstanek> breton: i have so many patches i'm working on now it's hard to keep up. ask me on Monday :-)
14:43 <samueldmq> dims: but also allows me to learn, so I am fine :)
14:43 <notmorgan> dstanek: so i think break enforcer, make controller ensure enforcement on annotated methods? or make the annotation directly ensure enforcement?
14:44 <samueldmq> dstanek: my list is fine now after abandoning all dynamic-crazy-policy stuff
<openstackgerrit> ayoung proposed openstack/keystone-specs: Time-based One-time Password
14:47 <dstanek> notmorgan: it would be nice for the controller to not care about enforcement. it would know just about taking web-stuff and calling api stuff
14:48 <notmorgan> dstanek: right. but we need enforcement somewhere
14:48 <notmorgan> dstanek: and enforcement needs to happen based upon ownership in some cases.
14:49 <notmorgan> so we need to do "get item" then enforce("on item")
14:49 <dstanek> notmorgan: yeah, i'd actually love to have an enforcement later, but i don't think that would be possible here
14:50 <notmorgan> dstanek: i could push enforcement down to the end before return, but i think that breaks our general desire for "fail fast"
14:50 <notmorgan> the design question is... should we ever enforce early?
14:51 <notmorgan> if the answer is no, then it becomes easy.
14:51 <notmorgan> i can bake a little logic into the controller baseclass that enforces based upon what is in policy but we may incur extra overhead
14:51 <notmorgan> because we'll make calls to the backend.
14:52 <ayoung> notmorgan, are not a priori against TOTP, right, just that this was attempting to munge TOTP and MFA into a single auth plugin, and they are really separate issues?
14:52 <notmorgan> even after a point we could bail out due to enforce failure
14:52 <notmorgan> ayoung: correct.
14:52 <ayoung> notmorgan, OK,....I think I got 2/3rds of the way there in that last edit.
14:53 <notmorgan> ayoung: i am fine with a TOTP auth method as long as we cover important things like secrets, totp implementation [google auth?], etc
14:53 <ayoung> notmorgan, I think I want to go back, drop the password plugin, and add the password value to the TOTP auth plugin and it should be acceptable
14:53 * ayoung goes back to edit
14:54 <notmorgan> ayoung: if we say encryption is happening, outline the basics for what that means you know, the standard cover the bases on what is being put together
14:54 <notmorgan> ayoung: also we should be clear that this is meant to be used in lieu of password vs in combination [until we solve the MFA issues that this spec doesn't solve]
14:54 <notmorgan> ayoung: but that is a doc thing.
14:54 <ayoung> notmorgan, So...I think that this is a couple specs.  One is saying "we will support a TOTP interface for auth plugins, and it will have the following fields."
14:55 <notmorgan> ayoung: hopefully that is fairly straightforward :)
14:55 <ayoung> notmorgan, the second would be "google TOTP implementation" or alternative?
14:56 <notmorgan> ayoung: ok let me read your spec so i understand what that first one is. the first one sounds like a meta-spec again?
14:56 <ayoung> notmorgan, wait one
14:56 <ayoung> notmorgan, I'm doing an additional edit.
14:56 <ayoung> I am dropping the password plugin from the example
14:56 <notmorgan> ayoung: or is it "put scaffolding in for totp within password / other plugins?"
14:56 <dstanek> notmorgan: is the only benefit of early enforcement to save CPU?
14:57 <notmorgan> dstanek: CPU, db queries, etc
14:59 <notmorgan> ayoung: so if it's just adding a totp plugin, i think you can merge "support totp and impl"
<openstackgerrit> ayoung proposed openstack/keystone-specs: Time-based One-time Password
15:00 <notmorgan> ayoung: because totp is no different than any other plugin, unless you're talking about doing something more generic and a keystone will only support a specific totp plugin at a time
15:02 <ayoung> notmorgan, so, I can see a need for a couple different TOTP plugin implementations.  My one concern is that, as Keystone is now written, it can only support a single one.
15:02 <notmorgan> ayoung: right
15:02 <notmorgan> ayoung: and from a strict interop perspective.... maybe it should only support one?
15:03 <ayoung> notmorgan, we really should do one plugin per idp.  But I don't want to do this kind of code in python unless we absoposilutletly have to
15:03 <notmorgan> ayoung: ah but idp should handle that.
15:03 <ayoung> notmorgan, what if....we say TOTP is a protocol, and we have to use Federation for it.
15:04 <notmorgan> we shouldn't need a plugin. the IDP that does auth should unless you're back into token bind
15:04 <notmorgan> free ipa should handle totp when authing for example.
15:04 <notmorgan> as it does
15:05 <notmorgan> keystone shouldn't care about totp in that case
15:05 <ayoung> Then make a middleware piece that can do the TOTP validation, and have a separate paste pipeline for that IdP
15:05 <ayoung> I realize that sucks because reboot, but, no different than we have today with config changes anyway
15:05 <notmorgan> i'm not clear what totp is meant to do here.
15:05 <notmorgan> it seems like something that keystone shouldn't care about based upon what you just said
15:06 <ayoung> notmorgan, yes, if you have an apache module that can do TOTP, we can do this today.
15:07 <notmorgan> no, why are we doing totp at all in keystone?
15:07 <notmorgan> if the idp is meant to handle totp, we have nothing to do
15:07 <ayoung> notmorgan, Because if the only tool you have is Duck tape, everything looks like a Duck.
15:07 <notmorgan> if this is meant to be totp as an alternative to password, it is a simple auth plugin
15:07 <ayoung> right...that is how I rewrote the spec
15:08 <notmorgan> if this is totp like MFA in google apps for example, it is part of the password plugin
15:09 <notmorgan> so if it is a simple auth plugin, call it by the implementation or say keystone supports one and only one totp option for internal auth
15:09 <notmorgan> so either "google totp" or "totp" in the latter case, if another impl is used, you pick if you support google or other impl
15:11 <notmorgan> if that makes sense
<openstackgerrit> Merged openstack/pycadf: Fix wrong use of comma
15:15 <ayoung> notmorgan, I think we need to say that TOTP is a separate mechanism if-and-only-if it has to be implemented in python and deployed in a system that has to continue to use the existing password plugin
notmorganayoung: i don't think that makes it more clear to me.15:16
*** topol has quit IRC15:17
notmorganayoung: so totp is in addition to <other plugin> or in lieu of <other plugin>?15:17
ayoungI think that totp is in addition to password.15:18
ayoungnotmorgan, note, I do not have a dog in this race15:18
ayoungI don't even have a dog15:18
ayoungA dog would be nice, if only it was asleep on the floor and I could warm my feet under her.15:18
notmorganayoung: right you and i both. I am just trying to make sure we don't end up with some useless boondoggle of code.15:18
ayoungIt is cold in Mass today15:18
notmorganayoung: and that is my concern with the previous proposal.15:19
ayoungnotmorgan, so, I want the v3/auth stuff to go away, and only use the federation paths15:19
bknudson_99% of keystone is useless boondoggle15:19
notmorganayoung: it's not that cold in PDX today. mid 30s.15:19
notmorganbknudson_: rm -rf all of it15:19
ayoungnotmorgan, I work in the basement of my house.  Mostly comfortable, but it is a thin carpet over concrete, and my feet get cold.15:20
*** med_ has quit IRC15:20
*** med_` has joined #openstack-keystone15:20
* notmorgan looks at weird wifi lag spikes when firefox is running [not when a page is loaded]15:20
*** timcline has joined #openstack-keystone15:23
notmorganayoung: so i think... we just add a hook into the auth plugins to accept any form of MFA. we implement a google auth totp example one.15:23
ayoungbknudson_, I had battery operated socks once, back in the 80s.15:24
notmorganayoung: and we pass down "is_totp_authed" if it passes. we can then just do a normal enforce on "require_MFA" and hook into that for the "this domain needs mfa" type construct15:25
ayoungnotmorgan, I think I want to kill it.  The /auth approach is making us reimplement things that should be done at the web layer.15:25
ayoungThe issue is for things that need to be done in python;15:25
notmorganayoung: my suggestion is going with the supposition that we need MFA in keystone15:25
ayoungand there...I want multiple paste pipelines, or something like it, that can then have a custom middleware15:25
notmorganayoung: no. please don't make paste more involved :(15:26
notmorganit's already awful15:26
ayoungnotmorgan, then remove it 100%15:26
notmorganwe are headed that way15:26
ayoungdon't leave us stuck with something in the middle that sucks but is required15:26
notmorganalmost all of keystone is in one entry now afaict15:26
ayoungbut, I stand by the concept of some configurable path with a way to set REMOTE_USER from python code15:27
notmorganpaste is code not config as far as i am concerned15:27
ayoungheh, it certainly is the way we use it15:27
notmorganwhich is why we've been moving towards making it less relevant15:28
ayoungbut I was talking about using it actually as config.15:28
notmorganlets not encourage that15:28
ayoungwhatever...we can do it in the config file, I don't care.  Or using henry's db config if that makes sense.15:28
notmorganfwiw, there is a google auth apache module last i looked (or something like it)15:28
ayoungbottom line is we need a way to say "POST /id/x/protocol/y/  executes this code to set REMOTE_USER15:29
*** tonytan4ever has joined #openstack-keystone15:29
*** breitz has quit IRC15:30
notmorganonly looks like it works with HTTP auth15:30
*** breitz has joined #openstack-keystone15:30
notmorganok. so back to where we are today15:32
notmorganvs. where we would like to be15:32
notmorganis TOTP just an alternative auth mech to password?15:32
notmorganis that all we care about today?15:32
notmorganbecause that is what gyee was pushing for15:32
notmorganor is it something we hook into for our auth code paths when issuing a token? - going down the path of the REMOTE_USER thing is separate and wont solve today issues / the reason MFA keeps coming up15:34
*** dims_ has joined #openstack-keystone15:35
ayoungnotmorgan, Iff he needs it, then yes.  Alternative to password, to be able to distinguish between the two on a request15:35
ayoungnotmorgan, so...I say we drop MFA as a standalone topic.15:35
ayoungTOTP, while it is an MFA approach, is a single mechanism15:36
notmorganayoung: he doesn't need it, he just sees it as a means to get MFA baked in - but imo auth plugins are poorly implemented in keystone server atm and it's the wrong approach to just add another form.15:36
ayoungwe don't want to have to wire together "password + this-other-method" at the Keystone level15:36
*** dims has quit IRC15:36
*** nonameentername has quit IRC15:36
ayoungkeep the -2...if we resurrect, it should be along the lines I wrote up there.  Deal?15:36
notmorganayoung: sounds good. will hold the -2 for now and we can discuss rest of this week/next meeting15:37
*** nonameentername has joined #openstack-keystone15:38
*** sigmavirus24_awa is now known as sigmavirus2415:42
*** henrynash has joined #openstack-keystone15:43
*** ChanServ sets mode: +v henrynash15:43
*** itlinux has joined #openstack-keystone15:50
*** jimbaker has quit IRC15:51
*** jimbaker has joined #openstack-keystone15:52
*** shoutm has quit IRC15:52
*** jimbaker has quit IRC15:52
*** jimbaker has joined #openstack-keystone15:52
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity
*** phalmos has joined #openstack-keystone15:58
*** shoutm has joined #openstack-keystone16:01
openstackgerritRon De Rose proposed openstack/keystone: Shadow users: unified identity
*** tsymanczyk has quit IRC16:03
*** shoutm has quit IRC16:04
*** itlinux has quit IRC16:05
openstackgerritayoung proposed openstack/keystone: backend for implied roles
openstackgerritayoung proposed openstack/keystone: Implied Roles API
*** itlinux has joined #openstack-keystone16:07
ayoungthere is something wonky with the rebase logic on new Gerrit.16:11
*** woodster_ has joined #openstack-keystone16:13
openstackgerritayoung proposed openstack/keystone: Implied Roles API
openstackgerritayoung proposed openstack/keystone: backend for implied roles
ayoungGuys, can we at least get  in so the rebase hell can settle down?16:15
bknudson_stevemar: -- I squashed the 3 changes, so should pass.16:16
*** topol has joined #openstack-keystone16:16
*** ChanServ sets mode: +v topol16:16
*** topol_ has quit IRC16:18
*** csoukup has joined #openstack-keystone16:18
*** fhubik has quit IRC16:19
*** itlinux has quit IRC16:22
*** tonytan4ever has quit IRC16:24
*** itlinux has joined #openstack-keystone16:25
*** tonytan_brb has joined #openstack-keystone16:26
openstackgerritMarek Denis proposed openstack/keystone: Service Providers and Projects associations
stevemarbknudson_: thanks for squashing the changes16:26
stevemari didn't want to trample on your patch16:27
*** rderose has quit IRC16:27
*** rderose has joined #openstack-keystone16:28
*** rderose has quit IRC16:33
*** belmoreira has quit IRC16:34
*** med_` is now known as med_16:39
*** med_ has quit IRC16:39
*** med_ has joined #openstack-keystone16:39
*** med_ is now known as med16:40
openstackgerritayoung proposed openstack/keystone: backend for implied roles
*** med is now known as med_16:40
*** thiagop has quit IRC16:44
*** diazjf has joined #openstack-keystone16:44
*** thiagop has joined #openstack-keystone16:45
*** thiagop has left #openstack-keystone16:45
*** dslev has quit IRC16:47
*** KarthikB has joined #openstack-keystone16:47
*** lhinds has joined #openstack-keystone16:49
*** itlinux has quit IRC16:52
*** gyee has joined #openstack-keystone16:55
*** ChanServ sets mode: +v gyee16:55
*** itlinux has joined #openstack-keystone16:57
*** dims has joined #openstack-keystone16:59
*** _cjones_ has joined #openstack-keystone17:00
htrutajamielennox: are you around?17:01
*** dims_ has quit IRC17:02
*** phalmos has quit IRC17:03
*** tsymanczyk has joined #openstack-keystone17:04
*** tsymanczyk is now known as Guest2620917:05
*** rderose has joined #openstack-keystone17:06
*** daemontool_ has quit IRC17:06
openstackgerritHarshada Mangesh Kakad proposed openstack/keystone: Replace deprecated library function os.popen() with subprocess
*** jsavak has quit IRC17:08
*** spzala has quit IRC17:09
*** itlinux has quit IRC17:10
*** jsavak has joined #openstack-keystone17:10
*** GB21 has quit IRC17:11
*** itlinux has joined #openstack-keystone17:11
lbragstadnavidp ping (re - )17:12
openstackLaunchpad bug 1522616 in OpenStack Identity (keystone) "It's possible to disable the default domain through domain update API" [Medium,In progress] - Assigned to Navid Pustchi (npustchi)17:12
lbragstadnavidp I tried to summarize the outcomes of the discussion yesterday17:12
lbragstadand from my perspective, they boiled down to two options17:13
openstackgerritMichael Krotscheck proposed openstack/keystone: Added CORS support to Keystone
lbragstadnavidp i think either of those options would close out the bug17:17
navidplbragstad, second option as "re-enable the default domain, and this would have to live within the keystone-manage functionality."17:18
navidpcan be added to keystone-manage
navidplbragstad, something like get_default_domain re_enable it17:20
lbragstadnavidp yes17:21
*** rderose has quit IRC17:22
*** fellypefca has joined #openstack-keystone17:23
notmorgannavidp: that seems reasonable17:25
lbragstadnavidp then the logic of that command would just check to ensure that the domain is enabled in the backend17:26
notmorgani don't like this needing keystone-manage to fix it.17:26
navidpnotmorgan, suggestions?17:26
navidplbragstad, YES17:27
notmorgani would make it impossible to disable default domain17:27
notmorganvia the api17:27
notmorganand make the internal get_default_domain re-enable it17:27
*** sigmavirus24 is now known as sigmavirus24_awa17:27
lbragstadnotmorgan so you would be in favor of the first option detailed in the comment i left on the bug
openstackLaunchpad bug 1522616 in OpenStack Identity (keystone) "It's possible to disable the default domain through domain update API" [Medium,In progress] - Assigned to Navid Pustchi (npustchi)17:27
notmorganlbragstad: yes17:28
navidpnotmorgan, then
notmorganrequiring an out of band command to "fix" an issue that we cant run w/o is incorrect17:29
lbragstadnotmorgan so you'd rather see that then what henrynash was describing yesterday?17:29
lbragstador gyee ?17:29
notmorganwhat was henrynash or gyee describing?17:30
*** jsavak has quit IRC17:30
notmorganif we can't run with the default domain disabled, we prevent it being disabled17:30
lbragstadnotmorgan the out of band process involving keystone-manage17:30
*** browne has joined #openstack-keystone17:30
notmorgandefault domain is magic17:30
notmorganso much magic17:30
*** jsavak has joined #openstack-keystone17:30
notmorganout of band to "fix" something that breaks keystone fundamentally, is not a good approach17:31
*** diazjf has quit IRC17:32
navidpnotmorgan, so basically 1. dont let it be disabled 2. use keystone-manage to re-enable it, you support (1) ?17:32
navidpnotmorgan, ok then what should i do to get this, which does #1, accepted?17:33
notmorganconvince gyee that the default domain is magic enough to justify it17:33
notmorgangyee: ^ the default domain is magic, this is fine to continue the magic until v2 goes away (never?)17:34
notmorganstevemar: ^ cc17:34
navidpnotmorgan, the main issue is that DEFAULT DOMAIN IS MAGIC OR NOT ?17:35
stevemarnavidp: you've been on a mission to fix default domain :)17:35
navidpstevemar, so far yes !! :)17:36
navidpstevemar, trying to fix the MAGIC17:36
stevemartrue true17:36
stevemarjust might be one of those situations where `if it ain't broke, don't fix it`17:37
stevemarit's dicey cause of how intertwined things are17:37
notmorganput a +2 on the "don't allow default domain to be disabled" patch17:37
notmorganand commented on why17:38
notmorgani don't think the admin user argument is relevant17:38
*** diazjf has joined #openstack-keystone17:39
notmorgani think disabling the default domain is just a bad idea in general17:39
navidpnotmorgan, thanks17:39
openstackgerritAnkit Agrawal proposed openstack/keystone: Expose defect in users_in_group, groups_for_user exact filters
notmorganif you disable the domain the admin user is in... that is an edit the DB to fix things or find another admin user17:39
notmorganbut that is separate from default domain being disabled.17:39
navidpnotmorgan, which breaks v2 api17:40
ayounghenrynash, gyee  can we please put this one to bed?  Its a race with other migrations for 087.17:40
fellypefcaHey I'm new in the openstack, i want solve this bug ( ) Is the solution in the bug description updated?17:40
openstackLaunchpad bug 1385025 in openstack-manuals "Document how to configure Keystone v3 api" [Medium,In progress]17:40
ayoungnotmorgan, default domain is only necessary for V2 to v3 interop17:41
ayoungperhaps instead we should say "always keep at least one domain enabled"17:41
notmorganayoung: and since default is already magic, lets keep the magic contained17:42
ayoungfellypefca, so...I think instead of asking if it is updated..try it, figure it out, and decide yourself17:42
*** afaranha has joined #openstack-keystone17:42
ayoungfellypefca, the real answer is more complicated17:42
*** breton has quit IRC17:44
fellypefcaDid you know where i can find the solution?17:44
gyeenotmorgan, I disagree that default domain is magic17:44
gyeeanything is magic if we don't do it right17:44
notmorgangyee: oh it's a large amount of magic17:44
notmorganthe v2 v3 interop and a ton of code around that17:45
notmorganit is magic17:45
notmorganwe could have avoided the need for v3 if we had done some stuff differently17:45
gyeeif someone wants to disable something, its their choice17:45
*** itlinux has quit IRC17:45
*** itlinux_ has joined #openstack-keystone17:45
*** jistr has quit IRC17:45
notmorganyeah but all of v2 breaks w/o the default domain17:45
gyeethat's their choice17:46
notmorganso my answer is we shouldn't allow that to be disabled until v2 goes away17:46
notmorgandefault domain is magic. hell it is created in a sql migration17:46
gyeeI disagree, I don't think there's anything special about the default domain17:47
gyeeit is for migration purposes17:47
gyeedisabling a domain is a workflow in production systems17:47
notmorgangyee: if we rely on it for operation [and v2 does and a lot of things are broken w/o it] i will say no this is not something that can be disabled17:47
gyeeif you change nova user password in keystone without update the auth_token section, nova will stop working17:48
gyeeare we going to disable nova user from changing password?17:48
notmorgangyee: no. keystone cannot run correctly w/o default domain17:48
notmorgani don't care about nova's external user17:49
notmorgani care that things that keystone relies on can be broken in ugly ways17:49
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements
notmorganinternal things keystone needs is different than "what nova needs" or things that depend on keystone.17:50
gyeekeystone will run fine17:50
notmorganv2 is part of defcore.17:51
gyeev2 APIs will happily return a 401 as expected17:51
gyeethat's by design17:51
notmorgangyee: so you're not going to convince me that the default domain isn't magic and should be disable-able17:51
notmorgangyee: we'll have to agree to disagree17:51
*** spandhe has joined #openstack-keystone17:52
gyeegoal is to get away from "magic"17:53
*** breton has joined #openstack-keystone17:53
notmorganmy goal is to contain the magic17:53
notmorganuntil v2 dies i don't think we can remove the magic17:54
gyeewe can't prevent someone from shooting themselves in the foot17:55
gyeeoh, lets sell guns with a disabled trigger :)17:55
notmorgangyee: we can guard against this: it is a terrible idea and we know it and it breaks how keystone works17:55
gyeelets ban McDonald toys17:55
notmorganif a provider doesn't want v2, don't use it.17:55
notmorgangyee: strawman argument17:55
lhindswoops, sorry wrong term17:56
*** lhinds has quit IRC17:56
notmorgangyee: again, we shall agree to disagree17:56
gyeewhy would someone want to disable the default domain to begin with? accident?17:56
bknudson_who keeps disabling the default domain?17:56
*** can8dnSix has joined #openstack-keystone17:56
bknudson_is this a common problem?17:57
gyeedon't think so17:57
gyeelike I said, disabling a domain in production is usually a workflow17:57
*** can8dnSix has quit IRC17:58
*** breton has quit IRC18:01
ayoungI never agreed to defcore.18:01
*** breton has joined #openstack-keystone18:01
ayoungKeystone already has enough cruft....let the bad ideas die18:02
*** htruta has left #openstack-keystone18:03
*** htruta has joined #openstack-keystone18:03
stevemarnotmorgan: bknudson_ squashed the changes to fix up ksa
stevemarnotmorgan: err also:
notmorganstevemar: ok cool.18:04
stevemarthat should fix all our stable branches :)18:04
*** mhickey has quit IRC18:06
*** itlinux_ has quit IRC18:06
*** KarthikB has quit IRC18:06
notmorganstevemar: 2/a18:06
brownedisabling the default domain (at least for one customer I know) happened as a result of pressing the big disable button in horizon.18:08
ayounggyee, so...TOTP.  Any reason not to use the Apache module?
browneuser error18:08
lbragstadbrowne oops18:09
* lbragstad wonders what that button does18:09
*** rderose has joined #openstack-keystone18:09
browneexactly as promised, horizon allows a user to shoot themselves in the foot by disabling the default domain if they like18:10
gyeeayoung, yes, you can do it via apache18:10
gyeeand do it via REMOTE_USER18:11
brownesorry checkbox, not button18:11
*** itlinux has joined #openstack-keystone18:12
*** spzala has joined #openstack-keystone18:12
*** topol_ has joined #openstack-keystone18:12
*** ChanServ sets mode: +v topol_18:12
openstackgerritAnkit Agrawal proposed openstack/keystone: Fix users in group and groups for user exact filters
gyeelbragstad, to launch a nuclear weapon, that button?18:13
*** topol has quit IRC18:14
*** markvoelker has quit IRC18:14
brownehere's what they did in horizon: click Domains - click Manage Members on Default -18:15
browneclick Domain Information18:15
browneuncheck Enabled18:15
lhchengbrowne: the policy file allows that, even if it is hidden in horizon the user can still disable the default domain through api. :)18:17
brownelhcheng: yeah, i don't disagree.  its just that some users don't realize unchecking that box for the Default domain affects everything.  feels like Horizon needs a warning label on it18:19
lhchengbrowne: only admin should be able to do that - not any users. Adding the warning msg should be easy to add in horizon.18:20
gyeebrowne, some user, you mean like a super admin user?18:21
*** tonytan_brb has quit IRC18:21
gyeeif super admin user don't know wtf he/she's doing, we have a bigger problem than that18:21
brownelhcheng: yep its user error and i'm sure they learn their lesson after trying it.  its just that horizon makes it easy for an uninformed user to shoot themselves in the foot18:21
lhchenggyee: only admin (v2) or cloud_admin (v3)  have access to identity panels in horizon18:22
*** ajayaa has joined #openstack-keystone18:22
brownegyee: yes admin user.  some are new to openstack.  some are doing PoCs, etc18:23
*** e0ne has joined #openstack-keystone18:23
gyeedomain is not even visible if v3 is not enable18:23
lhchenggyee: ah right.. so only cloud_admin then18:23
gyeemaybe Horizon can pop up a warning dialog, like do you REALLY REALLY want to delete something? :-)18:24
*** itlinux has quit IRC18:28
lhchengyeah, or just prevent disabling default domain?18:28
gyeeno, I mean a confirmation screen for deleting anything18:29
gyeenot just domains18:29
lhchenggyee: there are already confirmation for deleting any records in horizon18:29
brownein this case disabling18:30
lhcheng*confirmation msg18:30
*** rderose has quit IRC18:30
*** KarthikB has joined #openstack-keystone18:30
gyeesorry, I mean disabling18:30
*** itlinux has joined #openstack-keystone18:30
*** rderose has joined #openstack-keystone18:30
*** fellypefca has left #openstack-keystone18:31
gyeesorry I have to run, lets talk later18:31
*** gyee has quit IRC18:31
lhchenggyee: yeah, that's doable18:31
browneor better yet if horizon would just detect disabling the only or last domain would prevent any authentication18:31
browneand pop up a stern warning18:32
lhchengbrowne: horizon knows the default domain, there is a config stored in horizon. Could just validate that disabling default domain is not allowed.18:34
*** jaosorior has quit IRC18:34
*** jaosorior has joined #openstack-keystone18:35
*** harlowja has quit IRC18:35
brownelhcheng: i don't think horizon treats the default domain any differently than any domain18:36
*** harlowja has joined #openstack-keystone18:36
lhchengbrowne: not yet, we could add that :)18:37
browneis there an easy workaround where the policy.json can be tweaked to not allow changes on a domain named Default?18:37
lhchengbrowne: the v3 policy file have the default_domain_id, its possible to prevent updates on default domain by updating the policy file. But this would prevent any updates, not just the 'enabled' attribute.18:39
*** edmondsw has quit IRC18:39
*** jsavak has quit IRC18:40
*** jsavak has joined #openstack-keystone18:40
*** itlinux has quit IRC18:43
lhchengbrowne: something like: "identity:update_domain": "rule:cloud_admin and not <admin_domain_id>:  %("18:43
*** afaranha has left #openstack-keystone18:43
*** topol_ has quit IRC18:44
brownelhcheng: but i guess they still might need to update the members or groups of the default domain18:44
*** edmondsw has joined #openstack-keystone18:44
browneprobably the easiest fix is to have horizon just warn18:45
*** ayoung has quit IRC18:46
*** ayoung has joined #openstack-keystone18:46
*** ChanServ sets mode: +v ayoung18:46
lhchengbrowne: or just prevent user disabling the domain the user currently scoped to..18:48
brownelhcheng: yep that would be good too18:48
*** tonytan4ever has joined #openstack-keystone18:48
lhchengthe user needs to be scoped to the default domain to be able to update domains, so the effect would be same as preventing default domain from being disabled.18:49
lhchengbrowne: file a bug in horizon, I'll work on it.18:50
browneok will do18:50
brownelhcheng: what about the current patch and bug in keystone?18:52
openstackLaunchpad bug 1522616 in OpenStack Identity (keystone) "It's possible to disable the default domain through domain update API" [Medium,In progress] - Assigned to Navid Pustchi (npustchi)18:53
*** itlinux has joined #openstack-keystone18:54
*** sigmavirus24_awa is now known as sigmavirus2418:54
*** phalmos has joined #openstack-keystone18:59
*** markvoelker has joined #openstack-keystone19:03
*** jsavak has quit IRC19:04
*** markvoelker_ has joined #openstack-keystone19:05
*** jsavak has joined #openstack-keystone19:06
*** jasonsb has quit IRC19:06
*** spzala has quit IRC19:06
openstackgerritwerner mendizabal proposed openstack/keystone-specs: Time-based One-time Password
*** e0ne has quit IRC19:08
*** markvoelker has quit IRC19:09
*** itlinux_ has joined #openstack-keystone19:13
*** ajayaa has quit IRC19:13
*** markvoelker has joined #openstack-keystone19:14
*** itlinux has quit IRC19:14
*** fawadkhaliq has quit IRC19:16
stevemarlhcheng: poke: also:
*** markvoelker_ has quit IRC19:17
*** petertr7_away is now known as petertr719:20
openstackgerritRoxana Gherle proposed openstack/keystone: Allow '_' character in id_string parameter type
*** KarthikB has quit IRC19:22
*** phalmos has quit IRC19:23
*** itlinux has joined #openstack-keystone19:25
*** phalmos has joined #openstack-keystone19:26
lhchengstevemar: would putting an upper constraint on pycadf also fix the issue on KSM (liberty)?19:27
*** itlinux_ has quit IRC19:28
*** c_soukup has joined #openstack-keystone19:29
*** timcline_ has joined #openstack-keystone19:29
*** vgridnev_ has joined #openstack-keystone19:29
*** spandhe_ has joined #openstack-keystone19:31
*** breton_ has joined #openstack-keystone19:31
*** jraim_ has joined #openstack-keystone19:32
*** dims_ has joined #openstack-keystone19:33
henrynashayoung: on if we add calls to does_fk_exist() in your test case, it gets a +2 from me19:33
*** dims has quit IRC19:34
*** wasmum- has joined #openstack-keystone19:35
*** itlinux has quit IRC19:35
*** powerbsd has joined #openstack-keystone19:36
*** bradjones_ has joined #openstack-keystone19:37
*** bradjones_ has quit IRC19:37
*** bradjones_ has joined #openstack-keystone19:37
*** stevemar_znc has joined #openstack-keystone19:37
*** itlinux has joined #openstack-keystone19:38
henrynashbrowne, gyee: the domain name IS in the token, so you could write a policy rule for update domain that prevented it working for the default domain19:38
*** breton has quit IRC19:38
*** spandhe has quit IRC19:38
*** csoukup has quit IRC19:38
*** timcline has quit IRC19:38
*** mserngawy_ has quit IRC19:38
*** zqfan has quit IRC19:38
*** vgridnev has quit IRC19:38
*** bradjones has quit IRC19:38
*** nkinder has quit IRC19:38
*** jorge_munoz has quit IRC19:38
*** alexpro has quit IRC19:38
*** albertom has quit IRC19:38
*** briancurtin has quit IRC19:38
*** sileht has quit IRC19:38
*** wasmum has quit IRC19:38
*** stevemar has quit IRC19:38
*** jraim has quit IRC19:38
*** bradjones_ is now known as bradjones19:38
*** powerbsd is now known as albertom19:38
dolphmmarekd: around?19:38
*** spandhe_ is now known as spandhe19:39
*** spzala_ has joined #openstack-keystone19:39
*** stevemar_znc is now known as stevemar19:40
*** ChanServ sets mode: +o stevemar19:40
*** nkinder has joined #openstack-keystone19:40
*** lhcheng_ has joined #openstack-keystone19:40
*** jraim_ is now known as jraim19:40
*** stevemar changes topic to "MidCycle: | Mitaka-2:"19:40
*** mserngawy_ has joined #openstack-keystone19:41
*** sileht has joined #openstack-keystone19:42
*** lhcheng has quit IRC19:43
*** tqtran has joined #openstack-keystone19:45
*** sigmavirus24 is now known as sigmavirus24_awa19:45
*** zqfan has joined #openstack-keystone19:45
*** briancurtin has joined #openstack-keystone19:46
*** sigmavirus24_awa is now known as sigmavirus2419:48
*** itlinux has quit IRC19:53
ayounghenrynash, roger.  will fix19:54
henrynashayoung: I await your every key stroke….19:54
*** jasonsb has joined #openstack-keystone19:54
*** dims_ has quit IRC20:00
*** itlinux has joined #openstack-keystone20:03
*** diazjf1 has joined #openstack-keystone20:04
*** diazjf has quit IRC20:04
openstackgerritTom Cocozzello proposed openstack/keystone: Fix py34 problems in test_middleware
*** phalmos has quit IRC20:07
openstackgerritTom Cocozzello proposed openstack/keystone: Fix py34 problems in test_middleware
*** KarthikB has joined #openstack-keystone20:10
*** dhellmann has quit IRC20:11
*** c_soukup has quit IRC20:12
*** topol has joined #openstack-keystone20:12
*** ChanServ sets mode: +v topol20:12
*** dims has joined #openstack-keystone20:12
openstackgerritayoung proposed openstack/keystone: SQL migrations for implied roles
*** tsymanczyk has joined #openstack-keystone20:16
*** tsymanczyk is now known as Guest7494020:17
*** ayoung has quit IRC20:19
*** dims has quit IRC20:19
*** Guest26209 has quit IRC20:20
*** Guest74940 has quit IRC20:21
*** dims has joined #openstack-keystone20:22
*** adam_g has joined #openstack-keystone20:22
*** phalmos has joined #openstack-keystone20:23
*** openstackgerrit has quit IRC20:23
*** dims has quit IRC20:23
*** openstackgerrit has joined #openstack-keystone20:24
*** jasonsb has quit IRC20:25
*** timcline_ has quit IRC20:26
*** jsavak has quit IRC20:27
openstackgerrithenry-nash proposed openstack/keystone: Correct docstrings for federation driver interface
*** jsavak has joined #openstack-keystone20:30
*** slberger1 has joined #openstack-keystone20:33
*** timcline has joined #openstack-keystone20:34
*** slberger has quit IRC20:36
*** ayoung has joined #openstack-keystone20:39
*** ChanServ sets mode: +v ayoung20:39
*** dims has joined #openstack-keystone20:39
ayoungdstanek, can you please pull the trigger on  as i am trying to avoid a rebase due to the sql alchemy naming convention for upgrades20:41
openstackgerritayoung proposed openstack/keystone: backend for implied roles
*** itlinux has quit IRC20:42
dstanekayoung: sure, i look in jas20:42
ayoungTYVM dstanek20:42
stevemarnavidp: o/ just replied to your email20:44
navidp\0/ thanks20:44
openstackgerritBrant Knudson proposed openstack/keystone: Reference driver methods through the Manager
*** ninag has quit IRC20:45
bknudson_lbragstad: was merged with only 1 +2?20:47
*** petertr7 is now known as petertr7_away20:48
*** c_soukup has joined #openstack-keystone20:50
*** petertr7_away is now known as petertr720:51
*** zqfan has quit IRC20:51
*** itlinux has joined #openstack-keystone20:52
openstackgerritBrant Knudson proposed openstack/keystone: Use assertIn to check if collection contains value
stevemarbknudson_: considering lbragstad +A'ed, he probably meant to +2, but #gerritUI20:53
lbragstadsorry about that20:53
lbragstad#gerritUI #fail20:53
bknudson_ok, no surprise the gerrit ui is weird20:54
bknudson_it changes the text when you hover or something20:54
stevemarbknudson_: the only guy that complains when his stuff is merged20:54
bknudson_y, the text changes when you hover over the bullet20:54
lbragstadbknudson_ that's strange. i noticed that earlier20:55
stevemarit is very weird20:55
stevemarit's unusable on a phone now20:55
*** jasonsb has joined #openstack-keystone20:55
stevemarthe old UI wasn't great, but it was usable on a phone20:55
lbragstadstevemar just get a bigger phone :)20:55
stevemarnow i can't even comment20:55
lbragstadeverything is usable with a bigger phone20:55
stevemarlbragstad: nah, i can't even leave a comment with the "reply" button now20:56
notmorgandstanek: what was the result of our convo re enforcement20:58
notmorgandstanek: do we care about early bail out?20:58
notmorganbknudson_, stevemar: looking to remove the @protected decorator and the complexity so we call .enforce directly. Should we just enforce at the end when we have all the data or should we exit early when we can enforce at the start and save CPU/etc?21:00
bknudson_I agree the decorator isn't helping much when it's gotten as complicated as it has.21:00
bknudson_we should enforce early to save cpu21:01
bknudson_otherwise it's a denial-of-service21:01
notmorganbknudson_: ok so we should do like nova and call enforce in the method itself.21:01
notmorgannot try and be clever21:01
bknudson_clever isn't helpful21:01
stevemari don't really see the harm in the current implementation21:01
notmorgani am planning on still using a decorator to annotate a method should enforce and if it doesn't enforce we will throw an error21:01
notmorganstevemar: the callback thing is hard to follow and we're using it more and more.21:02
stevemarit is hard to follow, i'll grant you that21:02
notmorganstevemar: the whole reason we have the callback thing is cause we can't enforce at the start/end easily21:02
notmorganso i think we should simplify21:02
bknudson_y, the callback makes it hard to follow21:02
notmorganand it forces extra re-implementations all over21:02
notmorgansince the callback has to do all the same work as the @protected thing21:03
bknudson_it would help to see an example where @protected is removed21:03
*** raildo is now known as raildo-afk21:04
notmorganbknudson_: the logic will just become a method on the controller and you'll call self.enforce()21:04
*** petertr7 is now known as petertr7_away21:04
*** rdo has quit IRC21:04
notmorganit will look like nova's implementation21:04
*** petertr7_away is now known as petertr721:05
*** rdo has joined #openstack-keystone21:06
dstaneknotmorgan: i like the idea of bailing early21:08
stevemardstanek: don't we bail early now?21:08
dstanekstevemar: yes, but we were discussing options early21:08
*** itlinux has quit IRC21:09
dstanekayoung: not sure if you saw, but i did the review21:09
stevemardstanek: thanks for reviewing ayoung's, it was next on my list21:10
*** itlinux has joined #openstack-keystone21:10
bknudson_if (hasattr(self, 'get_member_from_driver') and -- spooky action at a distance21:10
ayoungdstanek, thanks21:11
dstanekstevemar: ayoung: my pleasure21:11
notmorganbknudson_: and just go look at the role assignment stuff with the callbacks21:15
stevemarlhcheng_: heads up that gordc replied to you here:
notmorganbknudson_: even spookier21:15
stevemarbknudson_: thanks for rebasing21:15
bknudson_stevemar: I'm trying to figure out why things keep failing21:15
lhcheng_stevemar: thanks, checking21:15
stevemarbknudson_: refer to that cross project spec for backwards compat21:16
notmorganwhat is the right way to lookup class/method name from a f in a decorator?21:16
stevemarheads up everyone, i'll be tagging stable releases for our libraries, ksa, ksc, ksm, and a stable release of keystone itself for liberty. get your backports in!!! dolphm ayoung dstanek henrynash lhcheng_ marekd notmorgan lbragstad gyee_needs_a_bouncer jamielennox21:19
notmorganseriously gyee_needs_a_bouncer21:19
stevemartjcocozz: hey tom, anyway you can squash these 2 commits? and -- add yourself as a co-author21:20
openstackgerritBrant Knudson proposed openstack/keystoneauth: Switch saml2 from lxml to built-in xml
tjcocozzstevemar, what should i do?21:21
tjcocozzstevemar, just put them into 1 commit?21:22
stevemartjcocozz: checkout ankit's change, and add yours into them21:22
stevemartjcocozz: you coming to midcycle too right?21:22
stevemardid we get you approval?21:22
tjcocozzstevemar, sounds g.  Doing it now.  Yes i will be there :)21:22
stevemartjcocozz: yippie!21:22
lbragstadcan we bbq?21:23
tjcocozzstevemar, I am excited!21:23
stevemarlbragstad: we can definitely bbq21:23
stevemartjcocozz: glad to hear that :)21:23
*** slberger1 has quit IRC21:25
*** slberger has joined #openstack-keystone21:25
notmorganis .__name__ python3 compat?21:29
stevemarit looks like we'll be getting lunches served to us during the midcycle :)21:30
notmorganfor like type(self).__name__ or is there a better way to get the classname?21:30
openstackgerritTom Cocozzello proposed openstack/keystone: Replace unicode with six.text_type
*** topol has quit IRC21:34
tjcocozzstevemar, hold off on a vote, i am booting up a different vm to run py3421:34
dstaneknotmorgan: that's the way i do in for py2 and py321:38
*** peter-hamilton has quit IRC21:40
tjcocozzstevemar, yea it passes py3421:41
openstackgerritTom Cocozzello proposed openstack/keystone: Replace unicode with six.text_type
notmorgandstanek: so self.__name__ and f.__name__ should be sufficient?21:41
openstackgerritBrant Knudson proposed openstack/keystone: De-duplicate fernet payload tests
openstackgerrithenry-nash proposed openstack/keystone: Implement manager and backend changes for implied roles
dstaneknotmorgan: i usually get the type using obj.__class__ though21:46
openstackgerrithenry-nash proposed openstack/keystone: Implied Roles API
notmorgandstanek: yeah.21:47
notmorgandstanek: thnx21:47
dstaneknotmorgan: np21:47
*** itlinux has quit IRC21:48
anteayastevemar: oh you are at the ibm offices in austin, I suggest you make sure they have wifi21:49
openstackgerritNavid Pustchi proposed openstack/keystone: Delete checks for default domain delete
anteayalast year for cinder sprint they didn't21:49
anteaya3 days of everyone tethering from phones21:50
*** phalmos has quit IRC21:50
*** mserngawy_ has quit IRC21:50
*** wasmum- has quit IRC21:50
*** jaosorior has quit IRC21:50
*** boris-42 has quit IRC21:50
*** gsilvis has quit IRC21:50
*** phalmos has joined #openstack-keystone21:51
*** mserngawy_ has joined #openstack-keystone21:51
*** wasmum- has joined #openstack-keystone21:51
*** jaosorior has joined #openstack-keystone21:51
*** boris-42 has joined #openstack-keystone21:51
*** gsilvis has joined #openstack-keystone21:51
*** itlinux has joined #openstack-keystone21:57
*** ayoung has quit IRC21:58
stevemaranteaya: yep, got that taken care of22:02
stevemaranteaya: we'll be in the actual visitor area, they have good quality guest wifi22:04
anteayagood call22:05
notmorganbknudson_: ok this is a sign this decorator needs to go, it's damn near impossible to follow and I'm familiar with it. wow this is doing too much stuff22:06
*** vgridnev_ has quit IRC22:07
*** rderose has quit IRC22:08
*** gsilvis has quit IRC22:09
*** gsilvis has joined #openstack-keystone22:10
*** jsavak has quit IRC22:12
*** itlinux has quit IRC22:14
*** diazjf1 has quit IRC22:19
*** petertr7 is now known as petertr7_away22:22
bknudson_I like how nova is removing the ec2 API stuff ... we should do the same in keystone.22:23
stevemarbknudson_: in lieu of ec2apiutils or something right?22:24
jamielennoxbknudson_: as i understand it our ec2 is actually being used22:24
*** timcline has quit IRC22:24
bknudson_t, there's a separate project22:24
jamielennoxeveryone who didn't want to do trusts realized that the ec2 interface essentially gave you long run logins without a password22:25
*** diazjf has joined #openstack-keystone22:25
bknudson_looks like they're having rst problems.22:26
bknudson_it's still openstack it's just not in their tree22:27
slbergerJan 07 22:20:19 oc-mon01-sie-keystone-0 systemd[1]: Reloading The Apache HTTP Server.22:28
slbergerJan 07 22:20:19 oc-mon01-sie-keystone-0 httpd[25575]: httpd: Syntax error on line 353 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/keystone.conf: Cannot load /usr/lib64/httpd/modules/ into server: /usr/lib64/httpd/modules/ cannot open shared object file: No such file or directory22:28
slbergerJan 07 22:20:19 oc-mon01-sie-keystone-0 systemd[1]: httpd.service: control process exited, code=exited status=122:28
slbergerJan 07 22:20:19 oc-mon01-sie-keystone-0 systemd[1]: Reload failed for The Apache HTTP Server.22:28
bknudson_proposed gate job to run keystone under uwsgi rather than eventlet:
*** itlinux has joined #openstack-keystone22:31
bknudson_and here's the devstack change to run keystone under uwsgi :
*** itlinux has quit IRC22:33
notmorganbknudson_: nice22:36
*** itlinux has joined #openstack-keystone22:36
*** gyee has joined #openstack-keystone22:36
*** ChanServ sets mode: +v gyee22:36
slbergersorry wrong chat22:37
*** spzala_ has quit IRC22:37
*** spandhe has quit IRC22:39
*** spandhe has joined #openstack-keystone22:41
*** tonytan4ever has quit IRC22:42
*** itlinux has quit IRC22:43
*** spzala has joined #openstack-keystone22:47
*** lhcheng_ has quit IRC22:48
*** spzala_ has joined #openstack-keystone22:48
notmorganstevemar, bknudson_: so looks like actually broke folks in production22:49
notmorganstevemar, bknudson_: while it is a "security-ish" issue, we may want to revert it for master, kilo, and liberty22:49
bknudson_we backported it?22:50
notmorganthey were, unfortunately, relying on the behavior of getting a v2 token for a v3 user in a non-default domain22:50
notmorganbknudson_: yes, to kilo22:50
*** jsavak has joined #openstack-keystone22:50
notmorganbknudson_: and the liberty rollout broke folks.22:50
* notmorgan tries to think if reverting it really exposes a lot.22:50
*** spzala has quit IRC22:51
bknudson_"v2 not seeing non-default domain objects" leads to weird behavior22:51
notmorganit does.22:51
notmorgani'm just not sure if it is a security flaw.22:52
notmorganmaybe we can just ban v2 actions on keystone without blocking token issuance22:52
notmorganfor non-default domain users.22:52
*** diazjf has quit IRC22:53
*** spzala_ has quit IRC22:53
bknudson_I don't see any security issue mentioned in the bugs.22:53
notmorganthere was some limited mention but it was classified as no-OSSA22:54
notmorganso i'm not super worried about a revert22:54
*** jsavak has quit IRC22:55
bknudson_notmorgan: just checking -- it's not because they have auth_token middleware configured for v2?22:55
notmorganbknudson_: no this is a user authing to get a token from keystone22:56
notmorganand then using that info to talk to swift22:56
*** jsavak has joined #openstack-keystone22:56
notmorganbut they are authing a non-default-domain user against v2 auth22:56
bknudson_they must be getting the token by user ID22:56
notmorganyes they are using user_id and tenant_id22:56
bknudson_it was an oversight and a bug but I can't see any security issue22:57
bknudson_the token info returned isn't going to be correct22:57
bknudson_which might confuse someone's obscure policy.json if they were relying on domain IDs22:58
*** c_soukup has quit IRC22:58
openstackgerritMorgan Fainberg proposed openstack/keystone: Revert "Validate domain ownership for v2 tokens"
notmorganbknudson_: ^22:59
notmorganbknudson_: yeah.22:59
notmorganbknudson_: but scope is pretty well protected.22:59
bknudson_can we make it a config option?23:00
notmorganwe can for master23:00
notmorganwe can't for stable/*23:00
notmorganwhich is important to revert as well.23:00
*** spandhe has quit IRC23:00
*** dims_ has joined #openstack-keystone23:00
notmorganso maybe revert it all, and then revert the revert with the added config?23:00
*** dims has quit IRC23:01
bknudson_ says "Cannot merge" for some reason... weird23:01
notmorganbknudson_: huh23:01
notmorganlet me pull it down.23:01
notmorganah new gerrit revert button is weird23:02
notmorganok this needs some other fixing in the tests23:02
bknudson_here we go with more gerrit ui weirdness23:02
*** jorge_munoz has joined #openstack-keystone23:03
bknudson_it's funny we had specific tests that say it works to validate non-default users using v2.23:03
notmorganyah right?23:03
notmorganexpected behavior23:03
bknudson_didn't we always reject validating a token that wasn't in the default domain using v2?23:05
bknudson_I thought I ran into this with auth_token middleware when it was using v223:05
notmorganbknudson_: apparently not23:05
*** nkinder has quit IRC23:09
*** sigmavirus24 is now known as sigmavirus24_awa23:12
*** tonytan4ever has joined #openstack-keystone23:14
*** tonytan4ever has quit IRC23:18
stevemarnotmorgan: related bug:
openstackLaunchpad bug 1527759 in OpenStack Identity (keystone) "Default domain no longer lets keystone tenant-list work" [Undecided,New]23:18
*** phalmos has quit IRC23:18
notmorganthis is an ugly revert fwiw23:19
notmorganbecause so much has changed.23:20
bknudson_add a config option and default to the old behavior23:23
*** jasonsb has quit IRC23:23
notmorganbknudson_: i am disinclined to even offer it as an option. most (all?) deployments don't really flip those types of opt-in things23:23
notmorganand it's cruft we have to carry.23:25
*** gordc has quit IRC23:28
*** spandhe has joined #openstack-keystone23:32
*** spandhe has quit IRC23:32
*** spandhe has joined #openstack-keystone23:38
*** dims_ has quit IRC23:39
*** doug-fish has quit IRC23:41
notmorganbknudson_: omg our tests don't actually test what we want.23:44
*** dims_ has joined #openstack-keystone23:45
notmorganbknudson_: oh wait nvm23:46
notmorgani was mis-reading the test23:46
*** ayoung has joined #openstack-keystone23:48
*** ChanServ sets mode: +v ayoung23:48
*** jsavak has quit IRC23:48
*** shoutm has joined #openstack-keystone23:48
*** dims_ has quit IRC23:50
openstackgerritHenrique Truta proposed openstack/keystone: Replace tenant for project in resource files
openstackgerritHenrique Truta proposed openstack/keystone: Create V9 version of resource driver interface
*** shoutm has quit IRC23:53
*** spandhe has quit IRC23:54
openstackgerritMorgan Fainberg proposed openstack/keystone: Revert "Validate domain ownership for v2 tokens"
*** shoutm has joined #openstack-keystone23:56
*** KarthikB has quit IRC23:57
notmorganbknudson_: ^23:57